You can view the source code and package the extension yourself if you are worried about that. It is only ~2000 LOC.
It is not easy to get verified in the vscode marketplace; even major publishers like the Qt organization are not verified, much less a solo open source developer like myself.
I have high 2 digits of extensions in my VS Code, and yours is the only one that wouldn't have a verified publisher. And I certainly have more than one from solo developers.
Qt organization (because you mentioned it) also has verification. It displays a different message (because I haven't installed anything from them):
> The extension Qt Core is published by Qt Group. This is the first extension you're installing from this publisher.
> Qt Group has verified ownership of qt.io.
> Visual Studio Code has no control over the behavior of third-party extensions, including how they manage your personal data. Proceed only if you trust the publisher.
EDIT: I'm sure there are other extensions that are also by unverified publishers. It was the first time I was hit with that message though.
The burden isn't just when I install it, I need to validate every time it's updated as well. But let's be realistic, the fact that I intrinsically trust extensions published by Microsoft isn't any better.
What are you proposing? Should I not be allowed to develop and publish an extension that I think is useful?
> nobody will do that
"nobody" is a strong word. Yes, most people don't do that, but if a single person reads the source code and finds something nefarious they can report it or leave a review disclosing that and my reputation would be ruined.
IMO you should avoid installing editor extensions generally. It's better to try to get them merged into the editor itself.
I don't think it's good to constrain people in some way from doing that, you should just have a personal policy of avoiding extensions you're not involved in the development of.
I thought the entire point of vscode was to be an extensible "lightweight" barebones code editor, as opposed to e.g. jetbrains stuff; what about vim/emacs then?
I did not by any means want to discourage you from developing things and sharing them, if anything I thank you for that.
My intention was to highlight that the SW supply chain nowadays is an insecure mess.
Regarding your last point, for the vast majority of open source SW releases, we can never be sure if the release we get is produced from the same code we see. I do not know if that is the case with VScode addons, but you get my point.
> Regarding your last point, for the vast majority of open source SW releases, we can never be sure if the release we get is produced from the same code we see. I do not know if that is the case with VScode addons, but you get my point.
You actually can depackage vscode's .vsix files (it is just a zip file) and compare the package contents to the repository.
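One way to do that comparison in practice, as an added example that is not part of the original thread or of any extension's own tooling: open the .vsix with Python's zipfile module, hash every file under the archive's `extension/` folder (where vsce places the extension's files; `extension.vsixmanifest` and `[Content_Types].xml` are generated at packaging time and are skipped), and diff those hashes against a local build of the repository. The `demo()` function, the tiny "demo-ext" extension and the tampered package it builds are constructed here for illustration. Compare against the build output, i.e. what the package actually ships (compiled JS, bundled dependencies), not the raw source tree, or every compiled file will show up as modified; the interesting findings are files that exist only in the package and files whose contents differ from your build.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

# vsce stores the extension's own files under this folder inside the archive.
PAYLOAD_PREFIX = "extension/"


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def vsix_payload_hashes(vsix_path: str) -> dict:
    """Map each file under extension/ inside the .vsix to its SHA-256."""
    hashes = {}
    with zipfile.ZipFile(vsix_path) as zf:
        for info in zf.infolist():
            # Skip directories and the packaging-time metadata outside extension/.
            if info.is_dir() or not info.filename.startswith(PAYLOAD_PREFIX):
                continue
            rel = info.filename[len(PAYLOAD_PREFIX):]
            hashes[rel] = _sha256(zf.read(info))
    return hashes


def tree_hashes(root: str) -> dict:
    """Map each file under root (a local build of the repository) to its SHA-256."""
    hashes = {}
    root_path = Path(root)
    for path in root_path.rglob("*"):
        if path.is_file():
            hashes[path.relative_to(root_path).as_posix()] = _sha256(path.read_bytes())
    return hashes


def compare_vsix_to_tree(vsix_path: str, tree_root: str) -> dict:
    """Report files only in the package, only in the build, or with differing contents."""
    pkg = vsix_payload_hashes(vsix_path)
    src = tree_hashes(tree_root)
    return {
        "only_in_package": sorted(set(pkg) - set(src)),
        "only_in_tree": sorted(set(src) - set(pkg)),
        "modified": sorted(p for p in pkg if p in src and pkg[p] != src[p]),
    }


def demo() -> dict:
    """Constructed sample: a two-file 'build' and a .vsix that was tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp, "build")
        (tree / "out").mkdir(parents=True)
        (tree / "package.json").write_text('{"name": "demo-ext", "main": "./out/extension.js"}\n')
        (tree / "out" / "extension.js").write_text("exports.activate = () => {};\n")

        vsix = Path(tmp, "demo-ext.vsix")
        with zipfile.ZipFile(vsix, "w") as zf:
            zf.writestr("extension.vsixmanifest", "<PackageManifest/>")  # outside extension/, ignored
            zf.writestr("[Content_Types].xml", "<Types/>")
            zf.writestr("extension/package.json", (tree / "package.json").read_text())
            # Tampered: one extra statement that the build does not contain.
            zf.writestr(
                "extension/out/extension.js",
                'exports.activate = () => {};\nrequire("child_process");\n',
            )
            # Injected: a file that exists nowhere in the repository.
            zf.writestr("extension/out/telemetry.js", "module.exports = {};\n")
        return compare_vsix_to_tree(str(vsix), str(tree))


if __name__ == "__main__":
    for key, files in demo().items():
        print(f"{key}: {files or 'none'}")
```

For a real package, run `compare_vsix_to_tree("foo.vsix", "path/to/your/build")` after building the tagged commit yourself with the same packaging steps the author documents; a non-empty `only_in_package` or `modified` list is what you then read by hand. This only tells you the archive matches what you built, not that the build itself is safe, so it complements reading the source rather than replacing it.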